If you’re into this kind of thing the Rigol 1052e hack should have already popped to mind. That was a firmware crippled device that, when unlocked, made the cheaper model behave the same ways as it’s $400 more expensive sibling. This doesn’t have quite the same impact, as the price difference is somewhere between $20-$100. Still, this stuff is just cool, right?

A few posts down in the thread linked above [Gnif] shares the story of how he found the hack. After shorting the i2c lines of the EEPROM while powering up the meter he was able to see that the device initializes a lot of its values to 0xFF when it can’t find the stored data. The next step was to use an STM32 board to dump the EEPROM contents. With the backup file stored safely he started changing values and reflashing the chip. Through this process he discovered that switching one byte from 0x01 to 0x02 enabled the higher model’s features. It also works for upgrading the U1732C to the U1733C feature set.